On Evaluating Adversarial Robustness (video)

Nicholas Carlini

Abstract:

Several hundred papers have been written over the last few years proposing defenses to adversarial examples (test-time evasion attacks on machine learning classifiers). In this setting, a defense is a model that is not easily fooled by such adversarial examples. Unfortunately, most proposed defenses to adversarial examples are quickly broken.

This talk examines the ways in which defenses to adversarial examples have been broken in the past, and what lessons we can learn from these breaks. Beginning with a discussion of common evaluation pitfalls when performing the initial analysis, it then turns to recommendations for how we can perform more thorough defense evaluations.

Bio: Nicholas Carlini is a research scientist at Google Brain. He analyzes the security and privacy of machine learning, for which he has received best paper awards at IEEE S&P and ICML. He graduated with his PhD from the University of California, Berkeley in 2018.